Fake login page for Lancaster University – one of the institutions targeted

The hacking group has targeted at least 18 British universities, according to researchers. The list includes top-flight institutions. But it also includes less well-known destinations which are notable for being among a select group certified by the National Cyber Security Centre (NCSC) to provide degrees in cybersecurity.

It is not known whether the universities were singled out because of their affiliation, but half of those targeted by the hackers are on the NCSC-certified list, including Warwick and Lancaster. The attacks are believed to be linked to a previous campaign which US officials blamed on Iranians, in which dozens of universities were hacked and their research published on two Iranian websites.

People with U.K. university log-ins were sent phishing emails to trick them into giving up their passwords.

Lancaster University said a small number of recipients fell for the hackers’ attack and entered their credentials. The University reset their passwords and investigated whether any information had been lost.

“We were aware of the phishing campaign, which posed as a library notification and directed the user to the fake page,” a spokeswoman said. “The University blocked the link and all those targeted by the campaign were individually notified by the University.”

A Warwick University spokesman said its use of two-factor authentication would have prevented data theft. “There is no evidence of any data loss around sensitive or valuable research material at Warwick by [cyberattacks],” said a spokesman.

Students who take the certified cybersecurity degrees are not guaranteed a job with GCHQ or the National Cyber Security Centre, but will likely end up occupying senior positions protecting the UK’s largest companies and institutions from cyberattack.

The hackers sent their targets a fake email to trick them into logging in, thereby revealing their passwords. To make the emails look genuine the hackers created spoofed websites similar to the genuine universities’ sites.

The registration of the websites shows the hackers have been active in the last few months. A fake site for Warwick University, where cybersecurity masters courses are NCSC-certified, was set up in June. A fake Lancaster University site was created in May.

This is despite the US Department of Justice charging nine Iranians with hacks on universities in March, claiming the “Mabna Institute” group had stolen 31 terabytes of academic information universities in 22 countries. Since then, researchers have been painstakingly tracking the creation of new fake websites, seemingly by the same hacking group, which show the hacking attempts on universities have continued.

A spokesperson for the NCSC said: “Universities are a popular target for cyber actors seeking access to intellectual property, such as cutting-edge research. The NCSC supports the academic sector to help them to improve their security practices. This has included our Active Cyber Defence programme, which took down 23 attempts to spoof one university’s website. We urge universities to follow the best practice cybersecurity advice on the NCSC website.”

The hackers also used the internet’s padlock certificate system to try to fool victims into entering their passwords. Many web users believe the presence of a padlock in their browser means the site is safe to visit. In fact, it means only that information sent to and from the site is encrypted; the site itself could be fake or malicious.

The hackers successfully gained “domain validation” certificates from a US company called Let’s Encrypt, meaning victims could have been tricked into thinking the sites were legitimate because they displayed the padlock symbol. Let’s Encrypt told Forbes: “Browsers are misleading people about site safety when they display lock icons. Some people incorrectly interpret lock icons as a sign that a site’s content is safe or trustworthy, and that’s a completely separate issue from whether or not the connection is secure. We would like to see browsers stop displaying lock icons on the basis of the existence of a secure connection.”